SSL session ID persistence

When SSL session ID persistence is configured, the Citrix ADC appliance uses the SSL session ID, which is part of the SSL handshake process, to create a persistence session before the initial request is directed to a service. The load balancing virtual server directs subsequent requests that have the same SSL session ID to the same service. This type of persistence is used for SSL bridge services.

Note:

There are two issues that users should consider before choosing this type of persistence. First, this type of persistence consumes resources on the Citrix ADC appliance, which limits the number of concurrent persistence sessions that it can support. If you expect to support a very large number of concurrent persistence sessions, you might want to choose another type of persistence.

Second, if the client and the load-balanced server renegotiate the session ID during their transactions, persistence is not maintained, and a new persistence session is created when the client’s next request is received. This may interrupt the client’s activity on the website, and the client might be asked to reauthenticate or restart the session. It may also result in large numbers of abandoned sessions if the timeout is set to too large a value.

To configure persistence based on SSL session ID, see Configuring Persistence Types That Do Not Require a Rule.

Note

SSL session ID persistence is not supported with session tickets.

Backup Persistence Support for SSL session ID

From NetScaler release 12.0 build 56.20, source IP persistence is supported as a backup persistence type for SSL session ID persistence. If the client and load-balanced server renegotiate the session, and source IP persistence is configured as the backup persistence, client requests are forwarded to the same server.

To support backup persistence for SSL session ID, the Citrix ADC appliance creates session entries for both source IP and SSL session ID when a client request is received for the first time. For subsequent requests containing the same session ID, the SSL session ID entry is used. However, when the client and the load-balanced server renegotiate the session, the client request is forwarded to the same server by using source IP persistence, and a new SSL session ID persistence entry is created.

For information about configuring backup persistence, see Configuring Backup Persistence.
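
The lookup order described above can be modeled in a few lines. This is an added example and not Citrix code: the class and function names, the service names, the round-robin selection, and the refresh of the timeout on every request are assumptions made for illustration.

```python
import itertools

class PersistenceTable:
    """Toy model of SSL session ID persistence with optional source IP backup."""

    def __init__(self, services, timeout=120, backup_source_ip=False):
        self._next_service = itertools.cycle(services)  # assumed LB method
        self.timeout = timeout
        self.backup_source_ip = backup_source_ip
        self.by_session = {}  # SSL session ID -> (service, expiry)
        self.by_source = {}   # client IP      -> (service, expiry)

    @staticmethod
    def _lookup(table, key, now):
        entry = table.get(key)
        if entry and entry[1] > now:
            return entry[0]
        table.pop(key, None)  # drop an expired entry, if any
        return None

    def route(self, client_ip, session_id, now):
        # 1. Primary: the SSL session ID seen in the handshake.
        service = self._lookup(self.by_session, session_id, now)
        # 2. Backup: source IP, consulted only when the session ID is unknown.
        if service is None and self.backup_source_ip:
            service = self._lookup(self.by_source, client_ip, now)
        # 3. No persistence entry at all: load balancing picks a service.
        if service is None:
            service = next(self._next_service)
        expiry = now + self.timeout
        self.by_session[session_id] = (service, expiry)  # new or refreshed entry
        if self.backup_source_ip:
            self.by_source[client_ip] = (service, expiry)
        return service

    def live_session_entries(self, now):
        return sum(1 for _, exp in self.by_session.values() if exp > now)

def renegotiation_demo(backup):
    """Constructed scenario: one client renegotiates from sid-1 to sid-2."""
    table = PersistenceTable(["svc-a", "svc-b"], backup_source_ip=backup)
    first = table.route("203.0.113.10", "sid-1", now=0)
    repeat = table.route("203.0.113.10", "sid-1", now=10)
    after = table.route("203.0.113.10", "sid-2", now=20)  # renegotiated ID
    return first, repeat, after, table.live_session_entries(now=20)
```

In both runs the old `sid-1` entry stays in the table until its timeout expires, which is the abandoned-session cost noted earlier; only the run with backup enabled keeps the client on the same service after renegotiation.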